Thursday, June 28, 2012

IPv6 provides hierarchical network segmentation and
aggregation through variable length subnet masking (VLSM), which breaks the
address into a network portion and a host portion. The network prefix identifies
the number of bits in the network portion of the address, similar to CIDR
notation (e.g. /24). VLSM is the same as what was eventually adopted with IPv4
after classful boundaries proved to be a bad design decision.

IPv6 prefers to reference interfaces on a host rather than
the host itself, since a single device may have multiple interfaces with
different addresses. Therefore, technically the host portion of the address is
referred to as an “interface identifier” instead. Interface identifiers
must be 64 bits in length, according to RFC 3513. I believe this is why most
IPv6 best practice recommendations use a minimum subnet size of /64. However,
I’ve heard that this may have changed since this book was written… but for now,
let’s continue on.

The 64-bit interface identifier can be generated in three
different ways (each of which underscores the desire to maintain a
globally-unique address):

Modified EUI-64 format, which builds an IP
address based on the layer 2 address of the interface (Ethernet MAC address).

Cryptographically generated addresses (CGAs)
based on RFC 3972 through a hash function with a private key. This provides
added security and address authentication, particularly useful for the Neighbor
Discovery process.

The network portion of the address also reflects the scope
of a network domain. Three address scopes exist:

Link-Local Scope – identifies all hosts within a
layer 2 domain (e.g. the local subnet). These are referred to as Link-Local Addresses (LLAs).

Unique-Local Scope – identifies all devices
within an administrative domain, either physical or logical (e.g. all devices
within an enterprise network). These are called Unique-Local Addresses (ULAs).

Global Scope – identifies all devices reachable
across the Internet. These are called Global
Unicast Addresses (GUAs).

The scopes are hierarchical, such that the link-local scope
resides within a unique-local scope, which resides within the global scope. The
unique-local scope was requested by organizations that wanted to continue the
practice of having a “site-scope” and using private addressing only relevant
within a local site, similar to IPv4 private addressing. However, the IETF
working group felt it important to maintain globally unique addressing.

Individual hosts may or may not be aware of the address
scope, but routers must be aware of scope information carried within the
address for network segmentation and traffic forwarding. Since hosts typically
communicate with multiple other hosts in different scopes, each host interface
will typically have an address for each scope.

Personally, at this stage of my learning I find the concept
of scopes completely logical, but the need for a host interface to have multiple
addresses completely illogical and unnecessary. If a host interface has a
globally unique address, why should it require a different address when it
communicates with a host interface in another scope? Are network routing
mechanisms and security controls sufficient to handle the interaction between
host interfaces? Let’s table this question for later review and press on…

Link-Local Addresses (LLAs)

Each IPv6 interface is provided with a layer 3 IP address
that allows it to communicate exclusively with other hosts on the same link
(subnet). Packets with LLAs as either the source address (SA) or destination
address (DA) should never be routed off the local link. These addresses are
used for discovering neighbors or routers, and for on-link communications.

LLA addresses have a fixed network prefix of FE80::/10,
where the first 10 bits are 1111 1110 10, and the next 54 bits are all 0’s.
This leaves only the last 64 bits for the unique interface identifier, or host
portion of the address, to be assigned. Therefore, the link-local network
prefix of every subnet overlaps with every other link-local network prefix on
other subnets. There is no hierarchy to LLAs; they are flat in nature. This
also means that LLAs are constant since they are not meaningful outside of the
local link, and are not affected by network re-numbering. For this reason, LLAs
are typically used for Neighbor Discovery advertisement by routers, and by
various protocols for next hop identification (e.g. BGP).

That also answers my
question from three paragraphs back, since LLAs are not routable, although they
may be globally unique if the interface identifier is chosen using the Modified
EUI-64 format.
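As an added example (my code, not from the original post), the following Python builds the Modified EUI-64 interface identifier from a MAC address, prepends the fixed FE80::/10 prefix with its 54 zero bits to form the link-local address, and shows the reverse step: recovering the MAC from an address whose identifier has that shape. The sample MAC is constructed for the example and the function names are my own.

```python
import ipaddress
from typing import Optional

# Constructed sample MAC address for the example (not taken from the post).
SAMPLE_MAC = "00:1b:21:12:34:56"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte Modified EUI-64 interface identifier for a 48-bit MAC.

    Steps (RFC 3513, Appendix A): split the MAC into its 24-bit OUI and 24-bit
    NIC halves, insert 0xFFFE between them, then invert the universal/local
    (U/L) bit, which is bit 0x02 of the first octet.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02          # flip the U/L bit
    return bytes(eui64)


def link_local_from_mac(mac: str) -> str:
    """FE80::/10: first 10 bits 1111 1110 10, next 54 bits zero, then the IID."""
    prefix = bytes.fromhex("fe80000000000000")   # fe80:0000:0000:0000
    return ipaddress.IPv6Address(prefix + mac_to_modified_eui64(mac)).compressed


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """If the interface identifier of `addr` has the Modified EUI-64 shape
    (0xFFFE in octets 3-4 of the IID), recover the MAC it was derived from.
    Returns None when the IID was not built that way."""
    iid = ipaddress.IPv6Address(addr).packed[8:]     # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02     # undo the U/L bit inversion
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac_bytes)


if __name__ == "__main__":
    lla = link_local_from_mac(SAMPLE_MAC)
    print(SAMPLE_MAC, "->", lla)
    print(lla, "->", mac_from_eui64_address(lla))
```

The reverse function is the practical caveat: because the identifier is a deterministic function of the hardware address, an EUI-64 LLA is stable across re-numbering (as the post says), but it also exposes the interface's MAC to anyone who observes the address, and the ff:fe marker makes such identifiers easy to recognise in logs or neighbor tables. Randomised identifiers (the RFC 4941 privacy extensions) exist for exactly this reason.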

Figure 1 - Link Local Address Structure

Unique Local Addresses (ULAs)

ULAs replaced the earlier IPv6 site-local scope, which was ambiguous and
potentially allowed non-unique addressing. Because non-unique addressing such
as IPv4 private addressing introduces issues with applications (e.g. embedding
IP addresses in data payloads) and routing (e.g. interconnecting discontiguous
portions of a single site across intermediate networks), ULAs were created to
maintain the globally unique address structure of the Internet with IPv6.

ULA addresses have a fixed network prefix of FC00::/7, where
the first 7 bits are 1111 110L, where ‘L’ identifies the assignment policy.
Currently only a value of ‘1’ is specified designating a local assignment
(FD00::/8).

Figure 2 - Unique Local Address Structure

The next 40 bits represent the Global ID that ensures global
uniqueness of the address. It is pseudo-randomly generated and does not need
to be sequential or follow any hierarchy, since it will not be aggregated for
routing globally. Hence, every “site” will have a unique Global ID. The 16-bit
Subnet ID gives the local network administrator room for hierarchical
addressing within the site. The final 64 bits are the interface identifier
as previously discussed.

Traffic that uses ULAs as either SA or DA in packets should
not be allowed to leave the local site. ULAs prevent address collisions when
interconnecting different “sites,” and make discontiguous site topologies
easier to manage. For instance, this prevents issues such as the need to
perform address translation when interconnecting IPv4 subnets with overlapping
private IP addressing. Hooray! This definitely helps clarify the need for
address scopes (from my earlier question), but I’m still questioning why GUAs
can’t simply be used as both ULAs and GUAs.

Global Unicast Addresses (GUAs)

GUAs provide addressing that can be used to interconnect
hosts across the IPv6 Internet. They are globally unique and globally routable.
Since IPv6 addresses are 128 bits in length, they provide a much larger quantity
of available addressing space than IPv4.

GUA addresses have a fixed network prefix of 2000::/3, where
the first 3 bits are 001.

Figure 3 - Global Unicast Address Structure

The remaining address is broken down into the following
structure:

Global Routing Prefix – delegated hierarchically
down from the IANA to Regional Internet Registries (RIRs) and subsequently to
Internet Service Providers (ISPs) and individual organizations. The global
routing prefix uniquely identifies the RIR, ISP, and organization to which it
is assigned, and is typically /48 or smaller.

Subnet Identifier – used internally to identify
the network structure within the organization. The subnet identifier is
typically 16 bits or larger, depending on the global prefix assigned to the
organization. The minimum of 16 bits provides internal addressing space
equivalent to the 10.0.0.0/8 private addressing commonly used by organizations
with IPv4.

A lot of effort has been put into developing this simple yet
flexible structure for GUAs to provide easy aggregation when coupled with
rigorous prefix-allocation policies by the IANA and RIRs, which will be
discussed in the next post.

Unicast Addressing Summary

LLAs – FE80::/10

ULAs – FC00::/7 (with range FC00::/8 through
FD00::/8)

GUAs – 2000::/3 (with range 2000::/4 through
3000::/4)
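To tie the ULA and GUA structures above to the three summary prefixes, here is an added Python example (my code, not the post's). It classifies an address by the fixed prefix of its scope, splits a ULA into its L bit, 40-bit Global ID, 16-bit Subnet ID and 64-bit interface identifier, splits a GUA into global routing prefix, Subnet ID and interface identifier (the organization's prefix length is an assumed parameter, defaulting to the /48 mentioned above), and applies the site-border rule that traffic with an LLA or ULA as source or destination must not leave the site. The addresses in the comments are constructed samples from the 2001:db8::/32 documentation range and the FD00::/8 local ULA range.

```python
import ipaddress
from typing import Dict

# The three unicast prefixes from the summary.
LLA_PREFIX = ipaddress.IPv6Network("fe80::/10")   # first 10 bits 1111 1110 10
ULA_PREFIX = ipaddress.IPv6Network("fc00::/7")    # first 7 bits 1111 110
GUA_PREFIX = ipaddress.IPv6Network("2000::/3")    # first 3 bits 001


def scope_of(addr: str) -> str:
    """Classify a unicast address by the fixed prefix of its scope."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LLA_PREFIX:
        return "link-local"
    if ip in ULA_PREFIX:
        return "unique-local"
    if ip in GUA_PREFIX:
        return "global"
    # Anything else: loopback ::1, multicast ff00::/8, the deprecated
    # site-local fec0::/10, and so on.
    return "other"


def decompose_ula(addr: str) -> Dict[str, int]:
    """Fields of a ULA: 7-bit prefix | L (1 bit) | Global ID (40) |
    Subnet ID (16) | Interface ID (64)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ULA_PREFIX:
        raise ValueError(f"{addr} is not in fc00::/7")
    n = int(ip)                                   # 128-bit integer
    return {
        "L": (n >> 120) & 0x1,                    # bit 8 from the top
        "global_id": (n >> 80) & ((1 << 40) - 1), # bits 9..48
        "subnet_id": (n >> 64) & 0xFFFF,          # bits 49..64
        "iid": n & ((1 << 64) - 1),               # low 64 bits
    }


def decompose_gua(addr: str, global_prefix_len: int = 48) -> Dict[str, object]:
    """Fields of a GUA: global routing prefix | Subnet ID | Interface ID (64).
    The routing prefix length is an assumption supplied by the caller; the
    Subnet ID is whatever lies between that prefix and the 64-bit IID."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in GUA_PREFIX:
        raise ValueError(f"{addr} is not in 2000::/3")
    if not 3 <= global_prefix_len <= 64:
        raise ValueError("global routing prefix must be between /3 and /64")
    n = int(ip)
    subnet_bits = 64 - global_prefix_len
    routing_prefix = ipaddress.IPv6Network((addr, global_prefix_len), strict=False)
    return {
        "global_routing_prefix": str(routing_prefix),
        "subnet_id": (n >> 64) & ((1 << subnet_bits) - 1),
        "subnet_id_bits": subnet_bits,
        "iid": n & ((1 << 64) - 1),
    }


def may_leave_site(src: str, dst: str) -> bool:
    """Site-border forwarding check: a packet whose source or destination is
    link-local or unique-local must not be forwarded beyond the site (an LLA
    not even beyond its link). Only global-to-global traffic may go out."""
    return scope_of(src) == "global" and scope_of(dst) == "global"


if __name__ == "__main__":
    print(decompose_ula("fd12:3456:789a:1::1"))          # constructed ULA
    print(decompose_gua("2001:db8:1234:5678::1"))       # constructed GUA
    print(may_leave_site("fd00::1", "2001:db8::1"))     # False
```

The `scope_of` check is the same test a border router or firewall applies: it is the leading bits, not the whole address, that carry the scope, which is why a ULA packet can be dropped at the site edge without any per-site configuration.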

Cheers,

Andrew

P.S. – Please follow or get involved in the discussion on
IPv6 architecture, design, and implementation on Twitter with the #IPv6Mission
hashtag.